Updated July 18th, 2019
Verifications.io, an email verification service, has recently been hacked resulting in the leakage of approximately 1 billion email addresses. Even though the number of leaked email addresses was estimated to be 700 million last week, it is now confirmed to exceed one billion.
The email addresses of approximately 1 billion individuals were exposed in what security professionals believe is one of the biggest email database hacks ever. Leaked personal information included names, date of birth, gender, home address, employer, and the social media accounts associated with the email addresses including Facebook, Instagram, and LinkedIn. Also, some leaked email addresses led to the exposure of information such as credit score and personal mortgage data. Nevertheless, passwords and credit card details were not exposed, yet the leaked information included company names, company websites, yearly revenue figures, etc.
Verifications.io is a company that offered an email verification service that enables marketing companies to check whether or not email lists that they have harvested are associated with real identities. Very little information is available regarding the founders of the company, who are anonymous namely due to the relative dubious strategies adopted by the business.
Security professionals discovered the data breach which involved one of Verifications.io’s online databases that had almost no security protections at all. After the leak was discovered, Verifications.io shut down the service’s official website and has been refraining from commenting on the situation ever since.
The service’s website was taken offline right after Bob Diachenko, a security professional who was the first to discover the data breach, notified the company’s support team. It is still not clear whether or not the leaked data had been accessed by hackers or cybercriminals, who are usually quick whenever data leaks take place. The leaked email addresses and associated data did not appear yet on the dark web.
Diachenko cooperated with Vinny Troya, a cyber security specialist from NightLion Security, to cross-reference the leaked datasets with the HavelBeenPwned database, which includes a list of all data breaches to date. They managed to conclude that data leaked via Verifications.io involved unique records which had never been previously exposed in any database breach collections.
As reported by Diachenko, this is by far the most comprehensive and extensive email address database to ever be leaked. “Upon validation, I was dazzled by the enormous number of email addresses that were made publically available to almost any individual with just an internet connection,” stated Diachenko, “Some of the exposed data was more detailed than merely the email address and involved sensitive personally identifiable information.”
What is Verifications.io all about?
Verifications.io offered internet marketers a service that is centered on validating email address lists. Usually, marketing companies hire third party verification services to accomplish this task due to the extensive time and efforts needed if this was to be done manually. Marketing companies utilize these services to distribute mass email messages to a long list of email addresses which they have to “validate” to confirm whether or not the email addresses belong to real individuals or are still active.
This is mostly accomplished via sending an email message to all email addresses on the list and checking to identify if any of the sent messages bounce. If any of the sent messages bounce, it is simply placed in a special ‘bounce list’, so that it can easily be validated later.
The company, which seems to be headquartered in Estonia, used to send out more than one hundred thousand email messages a day to validate email addresses.
Each one of the email addresses on the list receives their very own spam message saying ‘hi’.
Thereafter, provided that the message does not bounce, the company sends a valid and verified list of email addresses to these marketing companies so they can launch a more focused internet marketing campaign, as stated by Diachenko, who also emphasized that internet marketing companies occasionally hide behind services like this to evade being blacklisted for spamming.
Data breaches similar to Verifications.io’s incident put the victims involved at significant risks of being exposed to not only cold calls and spam emails but also to hack attacks, cyber stalking, and financial fraud.